Lab for Automated Reasoning and Analysis LARA

Note on Buffer Overflows

A study published as a White Paper by Cisco Systems “Economic Impact of Network Security Threats”, describes virus Code Red,

“Code Red (2001)

The Code Red worm was a self-replicating malicious code that exploited a known vulnerability in Microsoft IIS servers. Code Red attempted
to connect to TCP port 80 on a randomly chosen host. When a successful connection to port 80 was achieved, the attacking host sent an
HTTP GET request to the victim, attempting to exploit a buffer overflow in the indexing service. Depending on the configuration of the host
that received this request, there were varied consequences. If the exploit was successful, Code Red began executing on the new victim host.”

and shows the world-wide economic impact to be $2.62 billion.

The occurrences of these errors were reduced subsequently by a serious push within the company to adopt programming language discipline and tools that effectively turns C into a language where array accesses can be checked to be within bounds.

Many of such errors could be prevented in first place by using memory-safe languages such as Java and Scala (or LISP, invented before C)